Mischel Internet Security Forum
Topic: RootKits and "Spiceworks"
wilpower (Junior Member)
RootKits and "Spiceworks"
« on: Jul 4th, 2008, 2:02pm »

Hey Siliconman01: Hoping you are around to assist, or maybe even GC?

I have been doing a bunch of reading about 'Rootkit' threats and the growing concern that these babies are far more insidious and difficult to "even detect" deep in the OS.
Anyway, I decided to look around some by DL and running F-Secure BlackLight Rootkit Eliminator. The scan uncovered 37 hits of hidden files: 3 I can identify and am aware of, but 34 entries have to do with "Spiceworks/ruby.......". I googled Spiceworks and visited a couple of forums to see that a couple of file entries BlackLight found were also mentioned in the basically benign discussions surrounding Spiceworks being great for Ads and IT Pros.
My thing is I have no idea what this is doing in my OS. I have never DL anything called Spiceworks, nor do I have any idea what the function or purpose of these hidden files/entries uncovered by BlackLight is!
Now this whole thing got me thinking about whether there could be a rootkit entrenched deep in my system without me having any idea.
So I decided to run as many conventional scans as my OS is equipped to run......and there's a bunch!
NO SUSPICIOUS HITS ON ANYTHING.
Just out of the blue I decided to compare the number of packets sent from my computer to the number of packets being received!
Oddly enough I have noticed that there are far more packets being sent from my computer than being received; to the tune of 100,000-plus packets sent from my computer to 1000-2000 packets received in a typical 6-8 hour period.
Is it typical to have such a lop-sided amount of traffic (way more packets sent than received) on numerous occasions?
Also, is there software/freeware available that can track the "source and the destination" of each info packet sent as well as received, and the quantity as well?
More to the point, however, I would like to request some assistance in the viewing and analysis of some appropriate discovery scan logs, possibly by ComboFix and HijackThis and possibly a program that is specifically written to detect "Rootkits". I myself do not feel fully qualified to sift through the resulting logs in hopes of discovering a deep-rooted problem.
Any help appreciated.
« Last Edit: Jul 4th, 2008, 2:08pm by wilpower »

Use of COMODO Internet Security products is not only advised; use is "Highly Recommended"

http://Comodo.com

LIVE LIKE YOU MEAN IT! THINK LIKE YOU CARE!
siliconman01 (Global Moderator)
Re: RootKits and "Spiceworks"
« Reply #1 on: Jul 4th, 2008, 3:21pm »

Quote:
Oddly enough I have noticed that there are far more packets being sent from my computer than being received; to the tune of 100,000-plus packets sent from my computer to 1000-2000 packets received in a typical 6-8 hour period.
Is it typical to have such a lop-sided amount of traffic (way more packets sent than received) on numerous occasions?

Also, is there software/freeware available that can track the "source and the destination" of each info packet sent as well as received, and the quantity as well?

I've never spent a lot of time or effort on studying the above so I really don't know how to direct you on the best way to analyze the above.  The gurus over at the DSLReports forum probably can send you in the right direction on packet sniffing.
 
Quote:
More to the point, however, I would like to request some assistance in the viewing and analysis of some appropriate discovery scan logs, possibly by ComboFix and HijackThis and possibly a program that is specifically written to detect "Rootkits". I myself do not feel fully qualified to sift through the resulting logs in hopes of discovering a deep-rooted problem.

I'll be more than happy to review your HJT scan logs and a Combofix run log.  Combofix uses the GMER rootkit detector so it will be good for seeing if perhaps BlackLight is over-responding.
 
1.  Download/install program Hijackthis per the instructions in the link below.  
 
http://www.misec.net/forum/board/FAQ/1163329424  
 
2.  Go to the link below and download program Combofix.exe and save it on your desktop.  
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
3.  Temporarily de-activate all your security programs EXCEPT your software firewall.  
 
4.  Close down as many programs as you can (programs in the Notification Tray-  next to the clock).  
 
5.  Close your browser.  
 
6.  Double click on Combofix.exe to execute it and follow the instructions.  
 
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
 
-  When Combofix.exe is finished, it will save a log on your system.    
 
7.  Post the Combofix log back here  
 
8.  Run Hijackthis and post a HiJackthis scan log back here.  DO NOT fix anything with HJT...just post the scan log.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
wilpower (Junior Member)
Re: RootKits and "Spiceworks"
« Reply #2 on: Jul 4th, 2008, 4:27pm »

Thanks a pile, Siliconman01.

First the Combofix log:
 
 
ComboFix 08-07-04.1 - Will Schmidt 2008-07-04 14:16:38.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.647 [GMT -7:00]
Running from: C:\Documents and Settings\Will Schmidt\Desktop\ComboFix.exe
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\msvrc20.dll
 
.
(((((((((((((((((((((((((   Files Created from 2008-06-04 to 2008-07-04  )))))))))))))))))))))))))))))))
.
 
2008-07-04 14:02 . 2008-02-22 02:3369,632--a------C:\WINDOWS\system32\javacpl.cpl
2008-07-04 13:29 . 2008-07-04 13:40<DIR>d--------C:\Documents and Settings\Will Schmidt\.SunDownloadManager
2008-07-02 16:35 . 2008-07-04 09:54<DIR>d--------C:\RootKit Detection
2008-07-02 12:58 . 2008-07-04 14:14<DIR>d--------C:\Documents and Settings\Will Schmidt\Application Data\Vista Start Menu
2008-06-10 16:40 . 2008-06-13 06:10272,128-----c---C:\WINDOWS\system32\dllcache\bthport.sys
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 21:04---------d-----wC:\Program Files\Java
2008-07-04 20:01---------d-----wC:\Program Files\VisualRoute 2008
2008-07-04 19:53---------d-----wC:\Documents and Settings\Will Schmidt\Application Data\MSGTAG
2008-07-04 17:13---------d-----wC:\Program Files\LetMeSee This
2008-07-04 17:08---------d-----wC:\Documents and Settings\Will Schmidt\Application Data\MailWasherPro
2008-07-03 20:47---------d-----wC:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-03 16:42---------d-----wC:\Program Files\CryptoMite
2008-07-02 20:36---------d-----wC:\Program Files\POP Peeper
2008-07-02 19:53---------d-----wC:\Program Files\Vista Start Menu
2008-07-01 20:46---------d-----wC:\Program Files\SUPERAntiSpyware
2008-07-01 16:27---------d---a-wC:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 16:27---------d-----wC:\Program Files\SpywareGuard
2008-07-01 16:26---------d-----wC:\Program Files\SpywareBlaster
2008-06-13 13:10272,128------wC:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 23:46---------d-----wC:\Program Files\TrojanHunter 5.0
2008-05-24 14:30---------d-----wC:\Program Files\SiteAdvisor
2008-05-17 19:30---------d-----wC:\Program Files\NEO Pro
2008-05-17 19:30---------d-----wC:\Program Files\Common Files\Wise Installation Wizard
2008-05-15 00:11---------d-----wC:\Program Files\LimeWire
2008-05-11 16:141,354,160----a-wC:\cmxp170.zip
2008-05-09 00:44---------d-----wC:\Documents and Settings\All Users\Application Data\Comodo
2008-05-09 00:41---------d-----wC:\Program Files\Comodo
2008-05-08 12:28202,752----a-wC:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:181,287,680----a-wC:\WINDOWS\system32\quartz.dll
2008-04-24 05:163,591,680----a-wC:\WINDOWS\system32\SET66.tmp
2008-04-23 04:16826,368----a-wC:\WINDOWS\system32\wininet.dll
2008-04-23 04:16826,368----a-wC:\WINDOWS\system32\SET5D.tmp
2008-04-23 04:1663,488----a-wC:\WINDOWS\system32\SET75.tmp
2008-04-23 04:166,066,176----a-wC:\WINDOWS\system32\SET6E.tmp
2008-04-23 04:1652,224----a-wC:\WINDOWS\system32\SET67.tmp
2008-04-23 04:16459,264----a-wC:\WINDOWS\system32\SET68.tmp
2008-04-23 04:16383,488----a-wC:\WINDOWS\system32\SET70.tmp
2008-04-23 04:16267,776----a-wC:\WINDOWS\system32\SET6C.tmp
2008-04-23 04:16233,472----a-wC:\WINDOWS\system32\SET5E.tmp
2008-04-23 04:16124,928----a-wC:\WINDOWS\system32\SET78.tmp
2008-04-23 04:16105,984----a-wC:\WINDOWS\system32\SET60.tmp
2008-04-23 04:161,159,680----a-wC:\WINDOWS\system32\SET5F.tmp
2007-04-03 14:1930,601----a-wC:\Documents and Settings\Will Schmidt\x.exe
2007-03-11 19:3714----a-wC:\Documents and Settings\Will Schmidt\getfile.dat
2004-08-12 13:3194,784--sh--wC:\WINDOWS\twain.dll
2004-08-12 13:3150,688--sh--wC:\WINDOWS\twain_32.dll
2004-08-12 13:211,028,096--sh--wC:\WINDOWS\system32\mfc42.dll
2004-08-12 13:2354,784--sh--wC:\WINDOWS\system32\msvcirt.dll
2004-08-12 13:23413,696--sh--wC:\WINDOWS\system32\msvcp60.dll
2004-08-12 13:23343,040--sh--wC:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38550,912--sh--wC:\WINDOWS\system32\oleaut32.dll
2004-08-12 13:2583,456--sh--wC:\WINDOWS\system32\olepro32.dll
2004-08-12 13:2711,776--sh--wC:\WINDOWS\system32\regsvr32.exe
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSGTAG"="C:\Program Files\MSGTAG Status\MSGTAGStatus.exe" [2007-07-10 21:38 1820160]
"DS Clock"="C:\Program Files\DS Clock\dsclock.exe" [2005-01-04 01:19 331776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:18 15360]
"Calendarscope"="C:\Program Files\Calendarscope\cs.exe" [2007-03-26 19:05 2027586]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-23 16:01 68856]
"!1_ProcessGuard_Startup"="C:\Program Files\ProcessGuard\procguard.exe" [2005-01-20 15:24 280064]
"AutoSizer"="C:\Program Files\AutoSizer\AutoSizer.exe" [2006-12-15 07:57 126976]
"VistaStartMenu"="C:\Program Files\Vista Start Menu\VistaStartMenu.exe" [2008-06-27 06:25 2134528]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2006-08-03 03:20 21504]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2006-12-19 19:37 36952]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39 98304]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 18:32 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"GhostSecuritySuite"="C:\Program Files\GhostSecuritySuite\gss.exe" [2008-04-10 16:36 1302528]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2004-03-04 11:36 211828]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 16:19 79224]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-18 14:01 1115728]
"!1_pgaccount"="C:\Program Files\ProcessGuard\pgaccount.exe" [2005-01-20 15:14 184320]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 10:31 333120]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2006-11-27 16:18 1582616]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-06-05 16:46 1046688]
"VEngine"="C:\Program Files\Comodo\VEngine\VEngine.exe" [2008-05-08 17:44 335616]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 06:18 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 18:23 443968]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="C:\Program Files\KeyScrambler\getting_started.html" [X]
 
C:\Documents and Settings\Will Schmidt\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-14 13:14:44 125624]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08 262944]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-11-21 14:50 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-27 09:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
 
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=  
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=      
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Turtlets
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Turtlets\SpamBrave for Outlook Express]
 [X]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Turtlets\SpamBrave Lite for Outlook Express]
--a------ 2007-03-12 11:39 110592 C:\Program Files\Digital Turtlets\SpamBrave Lite for Outlook Express\oewatcher.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
 
R0 bxShield;BAxBEx File Protector;C:\WINDOWS\system32\Drivers\bxShield.sys []
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys [2001-09-24 09:38]
R1 TSKNF700.SYS;TSKNF700.SYS;C:\WINDOWS\system32\Drivers\TSKNF700.SYS [2006-10-24 16:29]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;"C:\Program Files\ProcessGuard\dcsuserprot.exe" [2005-01-20 15:25]
R2 FSService;FSService;C:\Program Files\Folder Shield\FSService.exe [2006-04-13 14:05]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 15:13]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2008-03-22 14:37]
R3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2001-09-24 09:39]
R3 LVVI500A;LVVI500A Service;C:\WINDOWS\system32\DRIVERS\lvvi500a.sys [2001-09-20 03:39]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;C:\DOCUME~1\WILLSC~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys []
 
.
Contents of the 'Scheduled Tasks' folder
"2008-07-03 23:30:05 C:\WINDOWS\Tasks\Advanced WindowsCare V2 Pro.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoCare.exe
"2008-06-05 03:00:16 C:\WINDOWS\Tasks\AwcProUpdate.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoUpdate.ex
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\
.
************************************************************************ **
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 14:19:11
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
 
C:\Program Files\Spiceworks
C:\WINDOWS\system32\drivers\bxShield.sys 45056 bytes executable
C:\WINDOWS\system32\fsbx.ini 805 bytes
 
scan completed successfully
hidden files: 3
 
************************************************************************ **
.
Completion time: 2008-07-04 14:20:38
ComboFix-quarantined-files.txt  2008-07-04 21:20:33
 
Pre-Run: 45,187,141,632 bytes free
Post-Run: 45,183,631,360 bytes free
 
189--- E O F ---2008-06-21 03:55:15
 
 
wilpower (Junior Member)
Re: RootKits and "Spiceworks"
« Reply #3 on: Jul 4th, 2008, 4:28pm »

Thanks Siliconman01:
Here is the HijackThis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 2:26:18 PM, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\DS Clock\dsclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Vista Start Menu\VistaStartMenu.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Folder Shield\FSService.exe
C:\Program Files\Folder Shield\fsp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\LetMeSee This\LetMeSeeThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
F3 - REG:win.ini: load=  
F3 - REG:win.ini: run=  
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Comodo VerificationEngine Browser Helper NEW - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\VEngineIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostSecuritySuite] "C:\Program Files\GhostSecuritySuite\gss.exe" -minimize
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG Status\MSGTAGStatus.exe" /startup
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Calendarscope] "C:\Program Files\Calendarscope\cs.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 2008\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 2008\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB  
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149892927018
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149959723735
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FSService - Unknown owner - C:\Program Files\Folder Shield\FSService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Messenger Sharing USN Journal Reader service (usnsvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
 

Use of COMODO Internet Security products is not only advised; use is "Highly Recommended"

http://Comodo.com

LIVE LIKE YOU MEAN IT! THINK LIKE YOU CARE!
wilpower (Junior Member, Posts: 67)
Re: RootKits and "Spiceworks"
« Reply #4 on: Jul 4th, 2008, 4:45pm »

Here is the log from BlackLight......  
 
What the freak is Spiceworks and what's it for!!!
 
07/03/08 18:01:52 [Info]: BlackLight Engine 1.0.70 initialized
07/03/08 18:01:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/03/08 18:01:52 [Note]: 7019 4
07/03/08 18:01:52 [Note]: 7005 0
07/03/08 18:02:24 [Note]: 7006 0
07/03/08 18:02:24 [Note]: 7011 2184
07/03/08 18:02:24 [Note]: 7035 0
07/03/08 18:02:25 [Note]: 7026 0
07/03/08 18:02:25 [Note]: 7026 0
07/03/08 18:02:31 [Note]: FSRAW library version 1.7.1024
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\data\kuids.yaml
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\db\spiceworks_prod.db
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\log\production.log
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\log\questions.log
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\log\startup.log
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\bin\libeay32.dll
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\bin\iconv.dll
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\bin\spiceworks.exe
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\bin\sqlite3.dll
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\bin\ssleay32.dll
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\bin\zlib.dll
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\iconv.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\bigdecimal.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\digest\md5.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\digest\sha1.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\digest\sha2.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\enumerator.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\etc.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\fcntl.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\nkf.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\openssl.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\racc\cparse.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\socket.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\stringio.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\strscan.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\syck.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\Win32API.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\win32ole.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\1.8\i386-mswin32\zlib.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\mongrel-1.0.1\lib\http11.so  
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\fastthread-0.6.2\lib\fastth rea
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\ldap-0.9.7.1\lib\ldap.so
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\sqlite3-ruby-1.2.1\lib\sqli te3
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:02:35 [Info]: Hidden file: c:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\win32-service-0.5.0-mswin32 \li
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Note]: 7003 1
07/03/08 18:02:35 [Note]: 10002 3
07/03/08 18:03:26 [Info]: Hidden file: c:\Program Files\Folder Shield\fsp.exe
07/03/08 18:03:26 [Note]: 10002 1
07/03/08 18:09:25 [Info]: Hidden file: c:\WINDOWS\system32\fsbx.ini
07/03/08 18:09:25 [Note]: 10002 1
07/03/08 18:09:33 [Info]: Hidden file: c:\WINDOWS\system32\drivers\bxShield.sys
07/03/08 18:09:33 [Note]: 7002 0
07/03/08 18:09:33 [Note]: 7003 1
07/03/08 18:09:33 [Note]: 10002 1
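The BlackLight log above is the kind of output a practitioner has to sort by source before deciding anything: a folder-hiding utility and a kernel driver both show up as "Hidden file", but they do not deserve the same attention. The following parser is an added example for this thread (it is not part of the original post and not F-Secure code). It pulls the "[Info]: Hidden file:" lines out of a BlackLight log, groups them by the product or system folder they fall under, and ranks the groups: a .sys under system32\drivers first, paths under a folder that belongs to a known folder-hiding tool last. The sample lines are copied from the log posted above; the KNOWN_HIDERS set, the class names and the severity order are assumptions chosen for the example.

```python
"""Triage a BlackLight "Hidden file" log by where the hidden paths live.

Added example for this thread: not part of the original post and not
F-Secure code. Groups BlackLight hidden-file hits by the product or
system folder they sit in and ranks the groups for review.
"""
import re
from collections import defaultdict

HIDDEN_RE = re.compile(r"\[Info\]: Hidden file: (?P<path>.+?)\s*$")

# Assumption for this example: tools whose purpose is to hide folders,
# so hidden files under their own install folder are expected.
KNOWN_HIDERS = {"Folder Shield"}

# Most severe first; the worst class in a group decides its rank.
SEVERITY = {"kernel-driver": 0, "unexplained": 1, "explained-by-hider": 2}

# Sample input: a few lines copied from the BlackLight log in the thread.
SAMPLE_LOG = """\
07/03/08 18:02:31 [Note]: FSRAW library version 1.7.1024
07/03/08 18:02:35 [Info]: Hidden file: c:\\Program Files\\Spiceworks\\data\\kuids.yaml
07/03/08 18:02:35 [Note]: 7002 0
07/03/08 18:02:35 [Info]: Hidden file: c:\\Program Files\\Spiceworks\\ruby\\bin\\spiceworks.exe
07/03/08 18:02:35 [Info]: Hidden file: c:\\Program Files\\Spiceworks\\ruby\\bin\\libeay32.dll
07/03/08 18:03:26 [Info]: Hidden file: c:\\Program Files\\Folder Shield\\fsp.exe
07/03/08 18:09:25 [Info]: Hidden file: c:\\WINDOWS\\system32\\fsbx.ini
07/03/08 18:09:33 [Info]: Hidden file: c:\\WINDOWS\\system32\\drivers\\bxShield.sys
"""


def hidden_paths(log_text):
    """Every path BlackLight reported as hidden, in log order."""
    found = []
    for line in log_text.splitlines():
        m = HIDDEN_RE.search(line)
        if m:
            found.append(m.group("path"))
    return found


def group_key(path):
    """Bucket by the two components after the drive: 'Program Files\\Spiceworks',
    'WINDOWS\\system32', and so on."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(parts[1:3]) if len(parts) >= 3 else path


def classify(path):
    """Classify one hidden path by location (assumed rules for this example)."""
    low = path.lower()
    if "\\system32\\drivers\\" in low and low.endswith(".sys"):
        return "kernel-driver"            # hidden kernel code: look at this first
    if any(f"\\{h.lower()}\\" in low for h in KNOWN_HIDERS):
        return "explained-by-hider"       # the hider hiding its own files
    return "unexplained"                  # needs correlation with installed software


def triage(log_text):
    """Return {group: {"class", "count", "paths"}} for a BlackLight log."""
    buckets = defaultdict(list)
    for p in hidden_paths(log_text):
        buckets[group_key(p)].append(p)
    report = {}
    for key, paths in buckets.items():
        worst = min((classify(p) for p in paths), key=SEVERITY.__getitem__)
        report[key] = {"class": worst, "count": len(paths), "paths": paths}
    return report


def ranked(log_text):
    """Group names ordered by severity, then by number of hidden files."""
    report = triage(log_text)
    return sorted(report, key=lambda k: (SEVERITY[report[k]["class"]], -report[k]["count"]))


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key in ranked(SAMPLE_LOG):
        print(f"{rep[key]['class']:<19} {rep[key]['count']:>3}  {key}")
```

Run against the full log, the output puts the bxShield.sys group at the top, the Spiceworks tree (34 files, no matching entry in Add/Remove Programs) in the middle as the thing to correlate with installed software, and the Folder Shield hits at the bottom as self-explanatory.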
siliconman01 (Global Moderator, Posts: 5661)
Re: RootKits and "Spiceworks"
« Reply #5 on: Jul 4th, 2008, 5:19pm »

Combofix did find an infection and GMER is showing some hidden items.  
 
Quote:
C:\WINDOWS\system32\drivers\bxShield.sys 45056 bytes executable
C:\WINDOWS\system32\fsbx.ini 805 bytes

 
The above are from Folder Shield which is okay.  
 
As with Blacklight, GMER is seeing SpiceWorks too.  
 
-  Do you have a visible folder under C:\Program Files that is named SpiceWorks?  
-  Is there an uninstaller for SpiceWorks in your Control Panel>Add and Remove Programs?
 
Your Hijackthis log is showing some things that need correction too.
 
Please do the following:
 
1.  Run another Hijackthis scan.
 
2.  When the scan is completed, check mark the following items in the Hijackthis scan window.  BE SURE that these are the only items checked.

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O20 - AppInit_DLLs:

 
3.  Close your browser window
 
4.  Click on Fix Checked located at the lower left of the Hijackthis window.  Confirm that you want the items fixed and let HJT fix them.
 
5.  Close Hijackthis and reboot immediately.
 
Also:
 
Your Java is out-of-date (C:\Program Files\Java\jre1.6.0_05).  Update 6 has been available for some time.
 
1.  Go to the link below and download Java Runtime Environment (JRE) 6 Update 6
 
http://java.sun.com/javase/downloads/index.jsp
 
2.  Install the Java Update
 
3.  Once the installation is completed, go to Control Panel>Add and Remove Programs.
 
4.  Uninstall all older updates of Java.  
 
Then please post a new Hijackthis scan log.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01 (Global Moderator, Posts: 5661)
Re: RootKits and "Spiceworks"
« Reply #6 on: Jul 4th, 2008, 5:27pm »

In addition to my post above:
 
I found a forum that says this about SpiceWorks.  
 
Quote:
It's not hacking software... it's network/asset inventory and troubleshooting/monitoring software.

 
Are you sure you haven't downloaded/installed this software in the past?
 
Also this website:
 
http://www.techworld.com/networking/reviews/index.cfm?reviewid=560
 
« Last Edit: Jul 4th, 2008, 5:29pm by siliconman01 »
wilpower (Junior Member, Posts: 67)
Re: RootKits and "Spiceworks"
« Reply #7 on: Jul 4th, 2008, 5:52pm »

Thanks greatly for your experience:
First, I do use Folder Shield, so I knew no problem here.
Secondly, the first strategy to investigate SpiceWorks, because I did not recognise it, was to attempt to locate it by all means available, but no visible files anywhere.
Finally, I am sure I did not DL these files knowingly. Now how do I delete them?
Also I'll run another HJthis and correct as per your direction.
siliconman01 (Global Moderator, Posts: 5661)
Re: RootKits and "Spiceworks"
« Reply #8 on: Jul 4th, 2008, 6:14pm »

Is your computer used on company/office network?  This almost sounds like something an IT group has installed on its network computers.
wilpower (Junior Member, Posts: 67)
Re: RootKits and "Spiceworks"
« Reply #9 on: Jul 4th, 2008, 6:23pm »

Hey Siliconman01.
No, it's a mystery to me. Kinda is wigging me out! Why the files are hidden is more to the point, and how now to delete them.
 
HJthis would not "fix" or could not delete the final entry you wanted checked... O20
Here is the new log showing O20 still visible
 
 
Logfile of HijackThis v1.99.1
Scan saved at 4:18:47 PM, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Folder Shield\FSService.exe
C:\Program Files\Folder Shield\fsp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\GhostSecuritySuite\gss.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSGTAG Status\MSGTAGStatus.exe
C:\Program Files\DS Clock\dsclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Vista Start Menu\VistaStartMenu.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MemoryBoost\MemoryBoost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Program Files\LetMeSee This\LetMeSeeThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Comodo VerificationEngine Browser Helper NEW - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\VEngineIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostSecuritySuite] "C:\Program Files\GhostSecuritySuite\gss.exe" -minimize
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG Status\MSGTAGStatus.exe" /startup
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Calendarscope] "C:\Program Files\Calendarscope\cs.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 2008\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 2008\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qt activex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB  
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu web_site.cab?1149892927018
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/ muweb_site.cab?1149959723735
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FSService - Unknown owner - C:\Program Files\Folder Shield\FSService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Messenger Sharing USN Journal Reader service (usnsvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
 
siliconman01 (Global Moderator, Posts: 5661)
Re: RootKits and "Spiceworks"
« Reply #10 on: Jul 4th, 2008, 11:05pm »

For added security protection, be sure to update your Java to Update 6 as per the instructions I provided above.
 
I suspect that Folder Shield has hidden the SpiceWorks folder and all its contents, including the uninstaller for SpiceWorks.  I am not a Folder Shield user, but this is what its basic purpose is, right?  To hide entire folders.
 
See if you can get Folder Shield to unhide SpiceWorks.
 
Also:
 
You should delete Combofix.exe, the Combofix log file, and the ComboFix quarantine folder named Qoobox from your computer.  Most AV scanners do not like Combofix.exe because it uses techniques like the hackers' to remove the hacker software.  
 
Plus if you need to run Combofix in the future, you should download the very latest version to pick up any updates.
« Last Edit: Jul 5th, 2008, 5:08am by siliconman01 »
wilpower (Junior Member, Posts: 67)
Re: RootKits and "Spiceworks"
« Reply #11 on: Jul 5th, 2008, 10:37am »

Thanks for all your time: I feel more at ease now.
I have updated Java and will look into Folder Shield for Spiceworks.
What should happen with this entry you instructed to check for deletion that HJthis would not/could not delete/fix:  
 
   O20 - AppInit_DLLs:
 
Thanks Siliconman01.
siliconman01 (Global Moderator, Posts: 5661)
Re: RootKits and "Spiceworks"
« Reply #12 on: Jul 5th, 2008, 10:48am »

Quote:
What should happen with this entry you instructed to check for deletion that HJthis would not/could not delete/fix:  
 
   O20 - AppInit_DLLs:

 
It "may" be associated with Folder Shield.  If it is not associated with Folder Shield, it is not hurting anything as is because it is showing no DLL(s) for starting up.  Normally it would be something like  
 
O20 - AppInit_DLLs: StartThisDll.dll
« Last Edit: Jul 5th, 2008, 10:49am by siliconman01 »
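The moderator's triage in Reply #5 and the AppInit_DLLs explanation in Reply #12 boil down to a handful of rules a practitioner applies to every HijackThis log: an O20 AppInit_DLLs line with nothing after the colon loads nothing, while any DLL named there is injected into every process that loads user32.dll and has to be explained; an O2 BHO with "(no name)" and "(no file)" is an orphaned registration; an O23 service marked "(file missing)" points at a binary that is gone; and a JRE path older than the current update is a patching gap. The following script is an added example for this thread (not part of any post and not HijackThis code) that runs those rules over sample log lines copied from the log above. The severity labels, the CURRENT_JRE_UPDATE constant (taken from the moderator's "Update 6") and the decision to report each distinct message once are assumptions for the example.

```python
"""Triage a HijackThis log for the entry classes discussed in this thread.

Added example: not part of the thread and not HijackThis code. Applies
the moderator's rules to HJT lines and returns findings with a severity.
"""
import re

LINE_RE = re.compile(r"^(?P<tag>[A-Z]\d{1,2}) - (?P<body>.*)$")
JRE_RE = re.compile(r"jre1\.6\.0_(?P<update>\d+)", re.IGNORECASE)
CURRENT_JRE_UPDATE = 6   # assumption: "JRE 6 Update 6" as named in the thread

# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: Messenger Sharing USN Journal Reader service (usnsvc) - Unknown owner - C:\\Program.exe (file missing)
"""


def parse_hjt(text):
    """Split HJT lines into (tag, body) pairs; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("tag"), m.group("body").strip()))
    return entries


def check_appinit(body):
    """O20 AppInit_DLLs: an empty value loads nothing; a named DLL is loaded
    into every process that maps user32.dll, so it is the first thing to explain."""
    if not body.startswith("AppInit_DLLs:"):
        return None
    dlls = body[len("AppInit_DLLs:"):].strip()
    if not dlls:
        return ("info", "AppInit_DLLs value exists but is empty; no DLL is loaded")
    return ("high", f"AppInit_DLLs injects into every process that loads user32.dll: {dlls}")


def check_bho(body):
    """O2 BHO with neither a name nor a file on disk: orphaned registration."""
    if body.startswith("BHO: (no name)") and body.endswith("(no file)"):
        return ("low", "orphaned BHO registration (no name, no file); safe to fix")
    return None


def check_service(body):
    """O23 service whose binary is gone: stale entry, or a removed payload."""
    if body.startswith("Service:") and body.endswith("(file missing)"):
        return ("medium", "service points at a missing binary: " + body[len("Service:"):].strip())
    return None


def check_jre(body):
    """Any path carrying an older JRE 6 update than the current one."""
    m = JRE_RE.search(body)
    if m and int(m.group("update")) < CURRENT_JRE_UPDATE:
        return ("medium", f"JRE 6 Update {int(m.group('update'))} is older than Update {CURRENT_JRE_UPDATE}")
    return None


# Which checks apply to which HJT section prefix.
CHECKS = {
    "O2": (check_bho, check_jre),
    "O4": (check_jre,),
    "O9": (check_jre,),
    "O20": (check_appinit,),
    "O23": (check_service,),
}


def triage_hjt(text):
    """Run the checks over a log; each distinct message is reported once."""
    findings, seen = [], set()
    for tag, body in parse_hjt(text):
        for check in CHECKS.get(tag, ()):
            result = check(body)
            if result and result[1] not in seen:
                seen.add(result[1])
                findings.append({"tag": tag, "severity": result[0],
                                 "message": result[1], "line": f"{tag} - {body}"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['severity']:<6}] {f['tag']:<4} {f['message']}")
```

On the log in this thread the empty O20 line comes out as "info" only, which is the moderator's conclusion: it is not hurting anything as is, and the line HJT cannot "fix" away is worth watching only if a DLL name ever appears after the colon.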